ISM-1787 (policy control), ASD Information Security Manual (ISM)

Ensure Suppliers are Approved for IT and OT Sourcing

Ensure systems and equipment are bought from pre-approved suppliers to mitigate risks.


Plain language

Ensuring that all computer systems, software, and equipment come from approved suppliers is like making sure you buy food from a trusted farmer. It reduces the risk of getting poor-quality or unsafe products that could harm your organisation. If you don't do this, you might end up with systems that are not secure, leading to data breaches or costly downtime.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Operating systems, applications, IT equipment, OT equipment and services are sourced from approved suppliers.

Why it matters

Sourcing IT/OT from unapproved suppliers increases supply-chain compromise risk, introducing insecure systems and services that can cause breaches and outages.


Operational notes

Maintain an approved supplier register for OS/apps/IT/OT and services; require procurement to use it, and review approvals quarterly with documented evidence.


Implementation tips

  • Procurement team should maintain a list of approved suppliers: Regularly review and update this list by checking with industry standards, customer reviews, and past performance. Make sure each supplier complies with your organisation's security standards.
  • IT managers should ensure purchases are from the approved list: Before buying any new technology, verify with the procurement team that the supplier is on the list. Use a checklist to confirm that the product meets all the necessary technical and security requirements.
  • Security officers should evaluate supplier security practices: Gather information about each supplier's cybersecurity measures, such as their encryption methods or how they handle data breaches. Request certifications or reports from credible agencies like the Australian Cyber Security Centre (ACSC).
  • Senior management should encourage continuous improvement: Promote a culture of security by holding regular meetings to discuss supplier performance and gather employee feedback. Implement a process for quickly removing suppliers from the list if they no longer meet security expectations.

Audit / evidence tips

  • Ask: the approved supplier list. Request the most recent list of approved suppliers used by the organisation. Good evidence: shows a list updated within the past year, with clear notations of compliance checks.
  • Ask: to review recent purchase orders. Request documentation for the last five major technology purchases. Good evidence: purchase orders that match the approved list without exceptions.
  • Ask: supplier compliance documents. Review any reports or certifications suppliers have provided, such as security audits or ISO certifications. Good evidence: includes current and valid compliance documents for each supplier.
  • Ask: records of supplier performance reviews. Request details from the last round of supplier evaluations. Good evidence: a documented evaluation that discusses both security practices and any issues encountered.
  • Ask: to see the process for updating the supplier list. Request the policy or procedure for adding or removing suppliers from the approved list. Good evidence: contains a clear, formal process with defined roles and responsibilities for ensuring security compliance.

Cross-framework mappings

How ISM-1787 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2):
  • Annex A 5.19: ISM-1787 requires that operating systems, applications, IT/OT equipment and services are sourced only from approved suppliers.
  • Annex A 5.21: ISM-1787 mandates organisations to only source IT/OT products and services from approved suppliers, reducing exposure to untrusted or hig...

Supports (1):
  • Annex A 5.22: ISM-1787 ensures IT/OT products and services are sourced from approved suppliers, establishing a controlled set of vendors.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
